Cybersecurity 2025

SINGAPORE Law and Practice Contributed by: Lim Chong Kin, David N Alfred, Albert Pichlmaier and Goh Boon Yeow, Drew & Napier LLC

who, without reasonable excuse, fails to comply with this obligation shall be guilty of an offence and liable on conviction to a fine not exceeding the greater of SGD200,000 or 10% of the annual turnover of the person’s business in Singapore.

As the provisions relating to the obligations for major FDI service providers have yet to come into force, there are no enforcement decisions against major FDI service providers for the failure to comply with the Cybersecurity Act.

3.5 International Data Transfers

There are no specific obligations imposed by MAS in relation to financial institutions carrying out international data transfers. However, generally, organisations transferring personal data overseas must comply with Section 26 of the PDPA. Under Section 26, organisations need to ensure that the personal data transferred overseas is accorded a standard of protection that is comparable to the protection under the PDPA.

Under the Personal Data Protection Regulations 2021 (the “PDP Regulations”), the transferring organisation must take appropriate steps to ascertain whether, and to ensure that, the recipient of the personal data is bound by legally enforceable obligations to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the PDPA.

“Legally enforceable obligations” include any of the following obligations which are imposed on the recipient of the personal data under:

• any law;
• any contract requiring the recipient to provide a standard of protection for the personal data transferred to the recipient that is at least comparable to the protection under the PDPA and specify the countries and territories to which the personal data may be transferred under the contract;
• any binding corporate rules that require every recipient of the transferred personal data that is related to the transferring organisation to provide a standard of protection for the personal data transferred to the recipient that is at least comparable to the protection under the PDPA; and which specifies: (a) the recipients of the transferred personal data to which the binding corporate rules apply; (b) the countries and territories to which the personal data may be transferred under the binding corporate rules; and (c) the rights and obligations provided by the binding corporate rules; and
• any other legally binding instrument, including the Asia‑Pacific Economic Cooperation (APEC) Privacy Recognition for Processors System or the APEC Cross Border Privacy Rules System, which are recognised under the PDP Regulations as one of the modes of transferring data overseas.

The transferring party is required to specify the countries and territories to which the personal data may be transferred under the contract if the party relies on imposing contractual obligations on the recipient for the data transfer.

A transferring party has taken the appropriate steps to ensure that the recipient is bound by legally enforceable obligations to provide the personal data transferred a standard of protection that is comparable to that under the PDPA if:

• the data subject whose personal data is to be transferred gives their consent to the transfer of their personal data, after being provided with a reasonable summary in writing of the
